Exodus Android spyware discovered in Apple’s iOS platform

Android version of Exodus malware finds its way to iOS devices

Researchers at cybersecurity firm Lookout recently discovered an iOS version of a powerful mobile phone spyware tool that targets iPhone users.

Last month, researchers from a non-profit security organization, ‘Security Without Borders’, reported the discovery of several Android versions (nearly 25) of the same malware, which they dubbed ‘Exodus’, that had been uploaded to Google’s Play Store. When Google was notified of the problem, the search giant removed the infected applications, which were disguised as service apps from Italian mobile operators.

Under development for at least five years, Exodus for Android consists of three distinct stages. First, there is a small dropper that collects basic information about a targeted device, such as its IMEI number, phone number, and GPS location. The second stage consists of multiple binary packages in which most of the surveillance functionality is implemented. Finally, the third stage uses the DirtyCOW exploit (CVE-2016-5195) to obtain root privileges on a targeted device.

Once successfully installed, Exodus for Android can carry out an extensive amount of surveillance. The malware is designed to keep running on the infected device even when the screen is switched off.

The spyware, which was initially developed to target Android devices, now seems to have found its way onto iPhones, report Lookout and Security Without Borders. Researchers believe this malware is distributed as so-called ‘lawful intercept’ software, which is generally used by law enforcement and governments.

The malicious software disguised itself as a carrier assistance app which, once installed, can secretly steal the victim’s contacts, photos, videos and audio recordings, GPS information and real-time location data. An attacker could also use the app to listen to audio recordings of the victims.

According to Lookout, the iOS versions of the malware were available outside the App Store through phishing sites that imitated Italian and Turkmenistani mobile carriers.

“Analysis of these Android samples led to the discovery of infrastructure that contained several samples of an iOS port. So far, this software (along with the Android version) has been made available through phishing sites that imitated Italian and Turkmenistani mobile carriers,” reads the analysis published by Lookout.

The phishing sites tricked users into believing that they were legitimate portals from mobile carriers. While it is difficult to get malware past Apple’s App Store, it seems the developer abused their Apple-issued Developer Enterprise program certificates to infect unsuspecting victims.

“The Apple Developer Enterprise program is intended to allow organizations to distribute proprietary, in-house apps to their employees without needing to use the iOS App Store,” Lookout researchers explained. “A business can obtain access to this program only provided they meet requirements set out by Apple. It is not common to use this program to distribute malware, although there have been past cases where malware authors have done so.”
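As an added illustration (not from Lookout's report or this article's sources): an app distributed through the Developer Enterprise program ships an `embedded.mobileprovision` profile whose plist sets `ProvisionsAllDevices`, which a defender can check when triaging a sideloaded IPA. The function names, team name and sample profile bytes below are constructed, and the sketch does not verify the profile's CMS signature.

```python
import plistlib

PLIST_END = b"</plist>"

def extract_profile(blob: bytes) -> dict:
    """Return the XML plist carried inside a CMS-wrapped provisioning profile."""
    start = blob.find(b"<?xml")
    end = blob.find(PLIST_END, start)
    if start == -1 or end == -1:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(PLIST_END)])

def distribution_kind(profile: dict) -> str:
    """Classify how the profile allows the app to be installed."""
    if profile.get("ProvisionsAllDevices") is True:
        return "enterprise"        # in-house profile: installs on any device
    if profile.get("ProvisionedDevices"):
        return "device-limited"    # development or ad hoc: listed UDIDs only
    return "store-or-unknown"

def triage(blob: bytes) -> dict:
    """Summarise a profile and flag enterprise-signed apps for manual review."""
    profile = extract_profile(blob)
    kind = distribution_kind(profile)
    return {
        "kind": kind,
        "team": profile.get("TeamName", "?"),
        "review": kind == "enterprise",
    }

def constructed_profile(enterprise: bool) -> bytes:
    """Build a constructed sample: a plist wrapped in stand-in CMS bytes."""
    body = {"Name": "Constructed Profile", "TeamName": "Example Corp"}
    if enterprise:
        body["ProvisionsAllDevices"] = True
    else:
        body["ProvisionedDevices"] = ["0" * 40]
    header = b"\x30\x80 constructed-cms-header "
    return header + plistlib.dumps(body) + b" constructed-signature"

if __name__ == "__main__":
    for flag in (True, False):
        print(triage(constructed_profile(flag)))
```

An enterprise result is not malicious in itself; it means the app bypassed App Store review, so the signing team should match an organization the device owner actually belongs to.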

The iOS variant of Exodus uploaded the stolen information to the same server as the Android malware, suggesting that it is the work of an Italian company called eSurv, which is focused on video surveillance software and image recognition systems. eSurv, which was once a business unit of Connexxa, a known provider of surveillance tools to Italian authorities, has been developing the spyware since at least 2016, according to Security Without Borders.

However, the iOS versions are not as sophisticated as the Android malware. “The iOS version can only exfiltrate a limited set of data as it is limited to data it can access via iOS APIs,” said Christoph Hebeisen, senior manager of security intelligence at Lookout.

After researchers disclosed their findings, Apple revoked the app maker’s enterprise certificate, which prevents the malicious apps from being installed on new iPhones and from running on infected devices.

While Exodus for Android has likely infected “several hundred if not a thousand or more” devices, it’s not clear how many Apple users were affected by the iOS variant of the malware.